We are working to develop a Splunk project that audit the accesses and modifications to the files stored in several folders in several HP-UX servers, published by NFS.
Our first problems are blocking the project, so I hope you can help me with these:
1. The operating system logs show the actions executed in local over the files, with relative path, so we can´t identify certainly if a concrete file has been read / modified / deleted
2. One alternative is, having in mind each register in the log can identify the associated filesystem, mounting the folder to audit in an independent filesystem, but this idea generates the inconvenience of needing the constant mounting of this ‘extra’ filesystem in the monitored server. Anyway, this 'solution' only audit the local access, no via NFS.
3. By other hand, it exists a configuration parameter (‘audit_track_paths’) that enables the use of absolute paths, but this parameter only exists with HP-UV 11.31 version, and currently the customer servers haven´t got this version.
4. Finally, the audit files (not logs) in HP-UX systems are not plane text files, so we´d need any integration with Splunk taking advantage of the script data input. In the 'audit' command man page I found several C functions that enable to me to create a script to link it in a Script Data Input.
Have anybody any experience about any similar environment / project to help me or guide to me.